iPad 3G Support Insecure SMTP Server

If you want to send insecure email from your iPad, there’s an app for that –or at least an open port. After setting up my iPad 3G I noticed that I had an extra SMTP server listed. This server was both unprotected and insecure. For the uninitiated an SMTP server is used for sending email. Historically this was a service on Port 25 that was provided by your ISP. In the case of an iPad 3G with AT&T service, AT&T is acting as your ISP and would traditionally be the one to provide you with both an email address and an SMTP server to use with it. The iPad data plan (thankfully) does not come with an email account. It looks like that legacy is finally coming to an end. There are too many good alternatives if you want an email address for you to rely on your ISP.

By the way, never use the email address that comes with your ISP. It ties you into your ISP service and you will have to change your email address when you change ISPs. Get a GMail, Yahoo, or some other free email address for your personal email. Or better yet, let me register a domain for you. But I digress.

So ISPs usually provide email and do so without any protection. The idea is that anyone who is on their network would be known and trusted. In the case of the iPad they are figuring that the iPad is trusted. Untrusted computer can take advantage of open mail servers to send spam. The problem is that this model is no longer viable. If I use this open mail server to send mail from my personal domain then I have to register it as a trusted source for my email. Otherwise a smart mail server would look at my SPF DNS settings and know that the email is not really from me. It will probably think it is spam. All well-configured mail servers should look at SPF records and reject mail from falsified domains sources.

A good email server should also support SSL (TLS) to allow for an encrypted tunnel between my device and the server. You connect to your SMTP server using a different port and you have to provide a username and passowrd. If you were to use AT&T’s mail server then your email would be going out as plain text. This should not be too bad because it is encapsulated inside a 3G channel. Unfortunately 3G has been cracked. I would not use AT&T SMTP server for anything that you consider sensitive. AT&T certainly can see the contents of your correspondence.

Another problem with AT&T’s SMTP server cwmx.com (a.k.a. atlmail.cingularme.net) is that it it will only work while you are connected to AT&T’s network. Since the iPad is designed to dynamically switch between Wi-Fi and 3G this could be a problem. I had to create a username and password so it should be possible to set up authentication on the SMTP server.

I understand why they provide this service. I use a computer on a large computer network that also features an unprotected SMTP server that is only accessible from inside the network. In order to send email via that mail server I have to connect via VPN or use some other untrusted server. Then I’m back to the spoofing problem that SPF technologies is designed the thwart. So the open SMTP server is there out of necessity. Don’t use it. Don’t get sucked into thinking it is a good idea to use. Thank you AT&T but not thanks for this service.

2 Replies to “iPad 3G Support Insecure SMTP Server”

  1. Doug,
    thanks for the information. I have a problem with sending e-mail from my cox account through ipad when I am on AT&T. It works fine when I am on WiFi but not when I am connected through AT&T. The e-mail goes to outbox and stays there and then every time I start the e-mail it keeps saying that the e-mail cannot be sent. Do you have an idea why this is and and how to fix this? Do I call Apple, Cox or AT&T? I would appreciate your help.


    Frank Babayi

    1. Calling Apple, Cox, or AT&T is not going to help. The problem is that Cox does not support secure email. I would stop using them for sending email and get an email account with someone who does support secure email.

      In you current configuration when you send an email your computer (or iPad) talks to port 25 using plain text. This means that your username, your password, and the contents of your email are visible to anyone else on the same network as you. If you are at home this includes all of your neighbors since Cox is a cable company. If you are at Starbucks then this includes everyone with a cup of coffee in their hand. It is not secure. Don’t use it. Its amazing to me that these cable companies still have not enabled basic security.

      Cox is a cable company. They got into the Internet business by accident because they already had a line to your house. The Internet access has been retrofitted onto their network. It’s kind of like buying your groceries at 7-Eleven. Yes it can be done but it’s not really a good idea.

      I suggest getting an email account from a company in the email business. The top three are MSN (Hotmail/Live), Yahoo, and GMail. I don’t really care for Hotmail although they are getting better. A lot of Windows users have them and don’t even know it because MSN messenger is running by default on Windows. That’s a great way for Microsoft to bolster their usability numbers. I really don’t like Yahoo because they lock your email down and prevent you from using it except in the manner they proscribe. They are also a company in flux so they are wont to change the services they offer from time to time without notice.

      So the only viable option for me is to suggest GMail. The accounts are free. They use proper and secure standards. You can get to your email on any client. You should go to Gmail.com and sign up.

      So what about your Cox email? I suggest you stop using it. By using it you are tying your on-line identity to your Cable company. What if you decide to cancel cable? Your email address would be lost with your service. Even if you do not cancel your cable, your service could get sold to another company. Just ask all those people who used to have ATT cable accounts and had to change their emails to RoadRunner.

      Once you have your Gmail account set up, go into your Settings and look under accounts. You can add your Cox email there as an additional account. You can have GMail fetch your Cox email and put it right into your GMail inbox. This way you won’t miss a message. When you reply to that email it would be coming from your new email address. Over time, people will start using your new address.

      The GMail account comes with other services like Google Voice, Calendaring, and Docs so you are getting a great value for the free service. I’m looking forward to September when iOS4.x on iPad will support GMail for calendaring and contacts like it does now on iPhone. This gives you a live calendar on your mobile device sync’d back to your desktop. I’ll post more on that later.

      Your GMail account will work securely on your iPad and on your desktop computer’s email program.


Leave a Reply